20 Jul Malicious URLs in .lc zone Dmitry Bestuzhev
03 May Internationalized Domain Names used to spread malware Fabio Assolini
13 Aug Whitelisting - how it protects us Dennis
08 Jul Hot Fail On SexBoosters Michael
15 May New domain standards, new challenges, new potential problems Dmitry Bestuzhev
14 Jul Bluelisting - pros and cons David
Cybercriminals from different parts of the world are actively using this domain, including cybercriminals from Brazil abusing free Web hosting available in that country.
How many legitimate domains in the .lc zone have you ever had to visit in your life? If the answer is zero, then it may be time to start filtering access to this domain, especially at the corporate Firewall / Proxy layer.
As we published last year, the first Internationalized Domain Names (IDN) using non-Latin characters appeared on the internet; these contain characters from Cyrillic, Arabic and other languages. We also started to see some new domains using diacritics such as “à, á, â, ã, é, ê, í, ó, ô, õ, ò, ú, ü, ç” or accents in their names, for instance as seen in http://amarylliscomunicação.com.br.
It’s also important to point out that some browsers and mail readers aren’t prepared to show these characters correctly. A domain in Arabic such as http://وزارة-الأتصالات.مصر/ might be shown as http://xn--4gbrim.xn----ymcbaaajlc6dj7bxne2c.xn--wgbh1c in your mailbox. This alternate way of representing non-Latin characters is called punycode.
During our regular monitoring of malicious activities in Brazil, we discovered an interesting and legitimate URL shortener service which is using the diacritics “ó.ò” in its name:
Malware writers are inventing new attacks regularly - but the anti-virus industry invents new protection techniques just as regularly. Whitelisting is one of the newer protection technologies that are now standard in Internet Security products. It sounds positive, but how does it actually work? Does it overload your computer? How can developers whitelist their programs? Will whitelisting replace other protection technologies?
Join Andrey Nikishin, Director of Cloud and Content Technology Research, Vladimir Zapolyansky, Manager of Whitelisting, and myself as we discuss how whitelisting itself works. We will also discuss how software writers can join our program and what the benefits are for them.
Over the last couple of days we've been noticing a few pharmacy spam mails which are a bit different. Somebody seems to have replaced the original graphical content with an alert highlighting that such messages are malicious.
So far we have counted three (ab)used image hosting services for this spam:
A quick analysis of these showed that #1 currently serves all the replaced images, #2 serves all the original spammers' images and #3 seems to have removed the offensive content immediately - good work!
At the moment, we don't have any further information about the source/background of the warning replacements - this gives us plenty of opportunity to use our imaginations when thinking about what's actually going on. A few of the key words and concepts we're considering are: white hats, rival spammers, compromised hosting service(s). Not an exhaustive list, but more of a launch pad for further theories and research!